Apache HTTP Server Version 2.5
-
Apache HTTP Server Version 2.5
-
AsyncFilter CGIMapExtension CGIPassAuth CGIVar ContentDigest DefaultRuntimeDir DefaultType ForceType GprofDir HostnameLookups HttpProtocolOptions <If> <IfDefine> <IfModule> <VirtualHost> Warning
Note that a syntax error in a valid directive will still cause - an internal server error.
+ an Internal Server Error.In the example above, only the Redirect and
RedirectMatch directives are allowed. All others will
- cause an internal server error.
Example:
@@ -603,7 +608,7 @@ AllowOverrideList CookieTracking CookieName grants permission to theAuthConfig
directive grouping and AllowOverrideList grants
permission to only two directives from the FileInfo directive
- grouping. All others will cause an internal server error.
+ grouping. All others will cause an Internal Server Error.
ap_add_common_vars() may choose to respect the setting
as well.
+| Description: | Controls how some CGI variables are set |
|---|---|
| Syntax: | CGIVar variable rule |
| Context: | directory, .htaccess |
| Override: | FileInfo |
| Status: | Core |
| Module: | core |
| Compatibility: | Available in Apache HTTP Server 2.4.21 and later |
This directive controls how some CGI variables are set.
+ +REQUEST_URI rules:
+original-uri (default)current-urimod_rewrite. In order to prevent confusion, numbered
(unnamed) backreferences are ignored. Use named groups instead.
-<DirectoryMatch "^/var/www/combined/(?<sitename>[^/]+)"> +<DirectoryMatch "^/var/www/combined/(?<sitename>[^/]+)"> Require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example </DirectoryMatch>@@ -1040,7 +1071,7 @@ sections are combined when a request is receivedDescription: Directory that forms the main document tree visible from the web - Syntax: DocumentRoot directory-path+ Default: DocumentRoot /usr/local/apache/htdocsDefault: DocumentRoot "/usr/local/apache/htdocs"Context: server config, virtual host Status: Core @@ -1347,12 +1378,12 @@ in case of an error whether the parameter is an URL, a path or a message is performed before any expression is parsed. Examples: - Module: core ErrorDocument 500 http://foo.example.com/cgi-bin/tester -ErrorDocument 404 /cgi-bin/bad_urls.pl +ErrorDocument 500 http://example.com/cgi-bin/server-error.cgi +ErrorDocument 404 /errors/bad_urls.php ErrorDocument 401 /subscription_info.html -ErrorDocument 403 "Sorry can't allow you access today" +ErrorDocument 403 "Sorry, can't allow you access today" ErrorDocument 403 Forbidden! -ErrorDocument 403 /cgi-bin/forbidden.pl?referrer=%{escape:%{HTTP_REFERER}}+ErrorDocument 403 /errors/forbidden.py?referrer=%{escape:%{HTTP_REFERER}}Additionally, the special value
defaultcan be used @@ -1620,7 +1651,7 @@ ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M%This would result in error messages such as:
-+-
+@@ -1827,7 +1858,7 @@ filenames does. However, it accepts a regular expression. For example:
[Thu May 12 08:28:57.652118 2011] [core:error] [pid 8777:tid 4326490112] [client ::1:58619] File does not exist: /usr/local/apache2/htdocs/favicon.ico<FilesMatch ".+\.(gif|jpe?g|png)$"> +<FilesMatch ".+\.(gif|jpe?g|png)$"> # ... </FilesMatch>@@ -1845,7 +1876,7 @@ filenamesmod_rewrite. In order to prevent confusion, numbered (unnamed) backreferences are ignored. Use named groups instead. -<FilesMatch "^(?<sitename>[^/]+)"> +<FilesMatch "^(?<sitename>[^/]+)"> require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example </FilesMatch>@@ -1994,6 +2025,82 @@ media type in the HTTP Content-Type header field directives, a hostname lookup will be performed regardless of the setting ofHostnameLookups. ++HttpProtocolOptions Directive
++
++ Description: Modify restrictions on HTTP Request Messages + Syntax: HttpProtocolOptions [Strict|Unsafe] [StrictURL|UnsafeURL] + [RegisteredMethods|LenientMethods] [Allow0.9|Require1.0]+ Default: HttpProtocolOptions Strict StrictURL LenientMethods Allow0.9+ Context: server config, virtual host + Status: Core + Module: core + Compatibility: 2.2.32 or 2.4.24 and later This directive changes the rules applied to the HTTP Request Line + (RFC 7230 §3.1.1) and the HTTP Request Header Fields + (RFC 7230 §3.2), which are now applied by default or using + the
+ +Strictoption. Due to legacy modules, applications or + custom user-agents which must be deperecated,Unsafe+ andUnsafeURLoptions have been added to revert to the legacy + behaviors. These rules are applied prior to request processing, so must be + configured at the global or default (first) matching virtual host section, + by IP/port interface and not by name, to be honored.Prior to the introduction of this directive, the Apache HTTP Server + request message parsers were tolerant of a number of forms of input + which did not conform to the protocol. + RFC 7230 §9.4 Request Splitting and + §9.5 Response Smuggling call out only two of the potential + risks of accepting non-conformant request messages, while + RFC 7230 §3.5 "Message Parsing Robustness" identify the + risks of accepting obscure whitespace and request message formatting. + As of the introduction of this directive, all grammer rules of the + specification are enforced in the default
+ +Strictoperating + mode, and the strict whitespace suggested by section 3.5 is enforced + and cannot be relaxed.RFC 3986 §2.2 and 2.3 define "Reserved Characters" and + "Unreserved Characters". All other character octets are required to + be %XX encoded under this spec, and RFC7230 defers to these requirements. + By default the
+ +StrictURIoption will reject all requests + containing invalid characters. This rule can be relaxed with the +UnsafeURIoption to support badly written user-agents.Users are strongly cautioned against toggling the
+ +Unsafe+ orUnsafeURImodes of operation, particularly on + outward-facing, publicly accessible server deployments. + If an interface is required for faulty monitoring or other custom service + consumers running on an intranet, users should toggle only those Unsafe + options which are necessary, and only on a specific virtual host configured + to service only their internal private network.Reviewing the messages logged to the
+ +ErrorLog, + configured withLogLeveldebuglevel, + can help identify such faulty requests along with their origin. + Users should pay particular attention to the 400 responses in the access + log for invalid requests which were unexpectedly rejected.RFC 7231 §4.1 "Request Methods" "Overview" requires that + origin servers shall respond with an error when an unsupported method + is encountered in the request line. This already happens when the +
+ +LenientMethodsoption is used, but administrators may wish + to toggle theRegisteredMethodsoption and register any + non-standard methods using theRegisterHttpMethod+ directive, particularly if theUnsafeoption has been toggled. + TheRegisteredMethodsoption should not + be toggled for forward proxy hosts, as the methods supported by the + origin servers are unknown to the proxy server.RFC 2616 §19.6 "Compatibility With Previous Versions" had + encouraged HTTP servers to support legacy HTTP/0.9 requests. RFC 7230 + superceeds this with "The expectation to support HTTP/0.9 requests has + been removed" and offers additional comments in + RFC 7230 Appendix A. The
+Require1.0option allows + the user to remove support of the defaultAllow0.9option's + behavior.@@ -3602,7 +3709,7 @@ directory<If> Directive
@@ -2830,7 +2937,7 @@ matching URLsmod_rewrite. In order to prevent confusion, numbered (unnamed) backreferences are ignored. Use named groups instead. -<LocationMatch "^/combined/(?<sitename>[^/]+)"> +<LocationMatch "^/combined/(?<sitename>[^/]+)"> require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example </LocationMatch>@@ -3341,10 +3448,10 @@ or specified mutexes holding a mutex that uses this implementation, the server will deadlock and stop responding to requests. When this occurs, the server will require a manual restart to recover. -Solaris is a notable exception as it provides a mechanism which +
Solaris and Linux are notable exceptions as they provide a mechanism which usually allows the mutex to be recovered after a child process terminates abnormally while holding a mutex.
-If your system implements the +
If your system is POSIX compliant or if it implements the
pthread_mutexattr_setrobust_np()function, you may be able to use thepthreadoption safely.Normally, if multiple
Optionscould apply to a directory, then the most specific one is used and - others are ignored; the options are not merged. (See how sections are merged.) + others are ignored; the options are not merged. (See how sections are merged.) However if all the options on theOptionsdirective are preceded by a+or-symbol, the options are @@ -3765,7 +3872,7 @@ directoryQualifyRedirectURL Directive
-
Description: Controls whether the REDIRECT_URL environent variable is + Description: Controls whether the REDIRECT_URL environment variable is fully qualified Syntax: QualifyRedirectURL ON|OFF@@ -4070,7 +4177,7 @@ to name-virtual hosts in the order they appear in the configuration. The first matching Default: QualifyRedirectURL OFFServerNameorServerAliasis used, with no different precedence for wildcards (nor for ServerName vs. ServerAlias). -The complete list of names in the
VirtualHost+The complete list of names in the
@@ -4086,20 +4193,24 @@ to name-virtual hosts<VirtualHost>directive are treated just like a (non wildcard)ServerAlias.
- Description: Hostname and port that the server uses to identify itself + Syntax: ServerName [scheme://]fully-qualified-domain-name[:port]Syntax: ServerName [scheme://]domain-name|ip-address[:port]Context: server config, virtual host Status: Core Module: core The
+ request scheme, hostname and port that the server uses to identify itself. + -ServerNamedirective sets the - request scheme, hostname and - port that the server uses to identify itself. This is used when - creating redirection URLs.Additionally,
ServerNameis used (possibly - in conjunction withServerAlias) to uniquely ++
ServerNameis used (possibly + in conjunction withServerAlias) to uniquely identify a virtual host, when using name-based virtual hosts.Additionally, this is used when + creating self-referential redirection URLs when +
+UseCanonicalNameis set to a non-default + value.For example, if the name of the machine hosting the web server is
-simple.example.com, but the machine also has the DNS aliaswww.example.com@@ -4114,9 +4225,10 @@ itself each appearance overrides the previous appearance (within that server).If no
+ServerNameis specified, then the - server attempts to deduce the client visible hostname by performing a - reverse lookup on an IP address of the systems hostname.If no
ServerNameis specified, the + server attempts to deduce the client visible hostname by first asking + the operating system for the system hostname, and if that fails, + performing a reverse lookup on an IP address present on the system.If no port is specified in the
ServerName, then the server will use the @@ -4331,11 +4443,12 @@ header
- Description: Forces all matching files to be processed by a handler + Syntax: SetHandler handler-name|NoneSyntax: SetHandler handler-name|none|expressionContext: server config, virtual host, directory, .htaccess Override: FileInfo Status: Core + Module: core Compatibility: 2.5 and later When placed into an
.htaccessfile or a<Directory>or @@ -4368,6 +4481,14 @@ handler </FilesMatch> +String-valued expressions can be used to reference per-request + variables, including backreferences to named regular expressions:
+ +<LocationMatch ^/app/(?<sub>[^/]+)/> + SetHandler "proxy:unix:/var/run/app_%{env:MATCH_sub}.sock|fcgi://localhost:8080" +</LocationMatch>+ +You can override an earlier defined
@@ -4458,10 +4579,14 @@ certain events before failing a requestSetHandlerdirective by using the valueNone.The
-TimeOutdirective defines the length of time Apache httpd will wait for I/O in various circumstances:-
+ @@ -4501,16 +4626,18 @@ certain events before failing a request- When reading data from the client, the length of time to +
+
- + empty. +
When reading data from the client, the length of time to wait for a TCP packet to arrive if the read buffer is - empty.
For initial data on a new connection, this directive doesn't + take effect until after any configured
++ AcceptFilterhas passed the new connection to the server.- When writing data to the client, the length of time to wait for an acknowledgement of a packet if the send buffer is @@ -4476,7 +4601,7 @@ certain events before failing a request
- In
-mod_proxy, the default timeout value ifProxyTimeoutis not configured.Finally, for testing and diagnostic purposes only, request bodies may be allowed using the non-compliant
+ body. As a proxy server, the request body is not restricted to 64Kb.TraceEnable extendeddirective. The core (as an origin server) will - restrict the request body to 64k (plus 8k for chunk headers if + restrict the request body to 64Kb (plus 8Kb for chunk headers ifTransfer-Encoding: chunkedis used). The core will reflect the full headers and all chunk headers with the response - body. As a proxy server, the request body is not restricted to 64k.Note
-Despite claims to the contrary,
+ +TRACEis not - a security vulnerability, and there is no viable reason for - it to be disabled. Doing so necessarily makes your server - noncompliant.Despite claims to the contrary, enabling the
+TRACE+ method does not expose any security vulnerability in Apache httpd. + TheTRACEmethod is defined by the HTTP/1.1 + specification and implementations are expected to support it.